diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index df816020..50d3bada 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -38,7 +38,7 @@ let
 package
 else if sandbox.method == "firejail" then
 let
- makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { };
+ makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.sandboxHelper; };
 vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
 in makeSandboxed {
diff --git a/modules/programs/make-sandboxed.nix b/modules/programs/make-sandboxed.nix
index 2171611b..8fe397e2 100644
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@@ -2,12 +2,11 @@
 , firejail
 , runCommand
 , runtimeShell
+, sane-sandboxed
 }:
 { pkgName, package, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], binMap ? {} }:
 let
- # XXX: firejail needs suid bit for some (not all) of its sandboxing methods. hence, rely on the user installing it system-wide and call it by suid path.
- # firejailBin = "/run/wrappers/bin/firejail";
- firejailBin = "firejail";
+ sane-sandboxed' = sane-sandboxed.meta.mainProgram; #< load by bin name to reduce rebuilds
 allowPath = p: [
 "noblacklist ${p}"
@@ -93,11 +92,11 @@ let
 mv "$out/bin/$name" "$out/bin/.$name-firejailed"
 cat <> "$out/bin/$name"
 #!${runtimeShell}
- exec ${firejailBin} \
- --include="${pkgName}.local" \
- --profile=":$firejailProfileName" \
- --join-or-start="$firejailProfileName" \
- -- "$out/bin/.$name-firejailed" "\$@"
+ exec ${sane-sandboxed'} \
+ --sane-sandbox-firejail-arg --include="${pkgName}.local" \
+ --sane-sandbox-firejail-arg --profile=":$firejailProfileName" \
+ --sane-sandbox-firejail-arg --join-or-start="$firejailProfileName" \
+ "$out/bin/.$name-firejailed" "\$@"
 EOF
 chmod +x "$out/bin/$name"
 }
diff --git a/modules/programs/sane-sandboxed.nix b/modules/programs/sane-sandboxed.nix
index 3e2e8626..7d868e70 100644
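Review bot: The new `sane-sandboxed'` binding in make-sandboxed.nix still resolves the sandbox entry point by bare name through the caller's PATH at exec time, but the removed XXX comment that explained why the sandbox binary is not referenced by store path (firejail needing suid for some methods, the `/run/wrappers/bin` alternative) is gone, and the only remaining rationale is "reduce rebuilds". Since the wrapper generated further down is the sandbox boundary, that PATH dependence deserves an explicit comment on the new line, e.g. `# resolved by name via PATH rather than by store path: changing the helper does not rebuild every sandboxed package, but the wrapper trusts whichever sane-sandboxed is first in PATH`. The suid caveat from the deleted comment presumably now lives with the helper; if it does not, it should be restated here or in sane-sandboxed.nix. With `firejailBin` removed, the `firejail` input at the top of the argument set may no longer be referenced in this file; the rest of the file is outside the hunk, so check before dropping it.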
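Review bot: The `--` that previously separated firejail's options from the wrapped program is dropped in the new exec line of the wrapper here-doc, so `"$out/bin/.$name-firejailed"` and the user's `"$@"` now reach sane-sandboxed with nothing marking the end of helper options. The store path itself cannot look like an option, but whether sane-sandboxed stops option parsing at the first positional argument is not visible in this diff; if the helper honors `--`, restoring it as `-- "$out/bin/.$name-firejailed" "\$@"` keeps the old guarantee at no cost. A one-line comment above the exec line noting that each `--sane-sandbox-firejail-arg` is expected to prefix exactly one firejail argument would also help, since that pairing convention is only implied by the layout. The enclosing shell function continues outside the hunk.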
--- a/modules/programs/sane-sandboxed.nix
+++ b/modules/programs/sane-sandboxed.nix
@@ -29,5 +29,6 @@ stdenv.mkDerivation {
 1. to abstract over the particular sandbox implementation (bwrap, firejail, ...).
 2. to modify sandbox settings without forcing a rebuild of the sandboxed package.
 '';
+ mainProgram = "sane-sandboxed";
 };
 }